a paper explaining some reasons not to trust Matrix. includes pearls like “a homeserver can silently add user to a E2EE group and decrypt all the following messages and that’s not considered a vulnerability”.